Skip to content

Click on each book below to review & buy on Amazon.

As an Amazon Associate, I earn from qualifying purchases.

LPI Linux Essentials Exam 010-160 - Topic 5.1 - Finding User Information

Introduction to Finding User Information in Linux

In the realm of Linux, a versatile and robust operating system, understanding how to retrieve and interpret user information is a fundamental skill. This guide aims to illuminate various commands that serve this purpose, each offering a unique lens through which user data can be viewed and understood. These commands, integral to system administration and security, provide insights into who is using the system, their activities, and historical login information.

Each command discussed in this guide serves a specific function:

  • id: Reveals the user's identity and group information.
  • who: Displays who is currently logged into the system.
  • w: Provides a detailed view of the current users on the system, including their activities.
  • last: Shows a list of the last logged-in users, helping in tracking user activity over time.
  • lastlog: Offers information about the last login of all users, a crucial tool for monitoring user access.

Understanding these commands not only enhances your ability to manage and secure a Linux system but also deepens your knowledge of the intricate workings of user management within the Linux environment. Let's delve into each command, starting with the id command, to gain a comprehensive understanding of these tools.

id Command: Understanding User and Group Information

The id command in Linux is a concise yet informative tool used for identifying and displaying user and group information for a given user account. When executed, it provides a snapshot of a user's identity, revealing their user ID (UID), the groups they belong to, along with the group IDs (GIDs).

When you run the id command, the output typically appears in the following format:

uid=1001(username) gid=1001(groupname) groups=1001(groupname),1002(othergroup)
  • uid=1001(username): This part indicates the user's ID (uid) and their username. In Unix and Linux, each user is assigned a unique UID. It's a numerical representation of the user's identity. In this example, the UID is 1001, and the corresponding username is indicated within the parentheses.
  • gid=1001(groupname): This section shows the user's primary group ID (gid) and the name of this primary group. Every user in Linux is a member of at least one group, and this primary group is used by default for file permissions and other access controls. In the example, 1001 is the GID of the primary group named 'groupname'.
  • groups=1001(groupname),1002(othergroup): This part lists all the groups the user belongs to, along with their GIDs. The first group in this list is usually the primary group. Additional groups provide extended permissions and access rights to the user. Here, the user is part of two groups, 'groupname' with GID 1001 and 'othergroup' with GID 1002.

The id command is particularly useful in various scenarios:

  • User Verification: Quickly confirming the identity of the current user or any other user on the system.
  • Scripting and System Administration: Automating tasks or scripts that require user and group ID checks.
  • Security Audits: Ensuring correct permissions and group memberships for users, especially in sensitive or restricted environments.

In the following section, we will explore the who command, which offers insights into who is currently logged into the system.

who Command: Identifying Currently Logged-in Users

The who command in Linux is a straightforward yet vital tool used to display a list of all users currently logged into the system. This command offers a quick way to see who is accessing the system at any given moment, which is particularly useful in multi-user environments or for monitoring purposes.

Executing the who command typically produces an output similar to this:

username1  tty1         2023-12-08 09:00 (:0)
username2  pts/1        2023-12-08 09:05 (

Each line of the output represents a user session and contains the following information:

  • username1, username2: These are the usernames of the users who are currently logged in.
  • tty1, pts/1: These fields show the terminal associated with the user's session. 'tty' stands for teletypewriter and refers to a physical terminal. 'pts' stands for pseudo-terminal slave, indicating a terminal session that is usually remote, like through SSH.
  • 2023-12-08 09:00, 2023-12-08 09:05: These timestamps show when the users logged into the system.
  • (:0), ( These are the hostnames or IP addresses from where the users are accessing the system. '(:0)' typically denotes a local console session, whereas an IP address, like '', indicates a remote session.

The who command is particularly useful for:

  • Monitoring User Activity: Quickly assessing who is currently accessing the system.
  • Security: Identifying unauthorized access or sessions that need to be audited.
  • System Management: For administrators to monitor user activity and manage system resources accordingly.

The next section will delve into the w command, which extends the functionality of who by providing more detailed information about the users' current activities.

w Command: Detailed View of Current User Sessions

The w command in Linux is an enhanced tool that not only shows who is logged into the system, like the who command, but also provides detailed information about what each user is doing. This command is particularly valuable for system administrators for monitoring user activity in real-time.

Running the w command generates an output that typically looks like this:

 10:10:17 up 1 day,  3:45,  5 users,  load average: 0.45, 0.70, 0.66
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
username1 tty1    :0               09:00    1:10m  0.13s  0.00s /usr/lib/xorg/Xorg
username2 pts/1     09:05    5.00s  0.20s  0.20s sshd: username2
  • 10:10:17 up 1 day, 3:45: This shows the current time, how long the system has been running (uptime), and the load average. The load average represents the average system load over the last 1, 5, and 15 minutes.
  • USER, TTY, FROM, LOGIN@, IDLE, JCPU, PCPU, WHAT: These columns provide detailed information about each user session:
    • USER: The username of the user.
    • TTY: The terminal associated with the user session.
    • FROM: The hostname or IP address from where the user is accessing the system.
    • LOGIN@: The time when the user logged in.
    • IDLE: The idle time of the user session.
    • JCPU: The time used by all processes attached to the terminal.
    • PCPU: The time used by the current process, as shown in the WHAT column.
    • WHAT: The command currently being executed by the user, or the most recent command if the user is idle.

The w command is especially useful for:

  • Real-Time Monitoring: Providing a snapshot of user activities and system load, helping in identifying resource-intensive processes or users.
  • Troubleshooting and Performance Analysis: Assisting in diagnosing issues related to user sessions or system performance.
  • Security and Auditing: Identifying potential unauthorized or suspicious activities by examining user commands and login origins.

In the next section, we will explore the last command, which is key for reviewing past user login sessions and tracking user activity over time.

last Command: Tracking User Login History

The last command in Linux is a powerful tool for reviewing past user login sessions. It reads from the /var/log/wtmp file, which records all logins and logouts. This command is invaluable for system administrators to track user activity over time, aiding in security audits and historical analysis of system access.

When you execute the last command, it typically yields an output similar to this:

username1  tty1         :0               Thu Dec  8 09:00   still logged in
username2  pts/1     Thu Dec  8 09:05 - 09:10  (00:05)

Each line in the output contains the following details:

  • username1, username2: The usernames of the users who have logged into the system.
  • tty1, pts/1: The terminals associated with the users' sessions. 'tty' is used for local logins, and 'pts' indicates remote logins, like those through SSH.
  • :0, The source of the login. ':0' indicates a local login, while an IP address signifies a remote login.
  • Thu Dec 8 09:00, Thu Dec 8 09:05: These are the dates and times when the users logged in.
  • still logged in, 09:10 (00:05): The logout time and the duration of the session. 'still logged in' indicates that the user session is currently active.

The last command is particularly effective for:

  • Historical User Activity Review: Analyzing who accessed the system and when, over a period of time.
  • Security Analysis: Detecting unusual login patterns or identifying unauthorized access.
  • System Maintenance: Understanding usage patterns for planning maintenance or upgrades.

In the forthcoming section, we will discuss the lastlog command, which complements the last command by providing the most recent login information for all users, thus offering a comprehensive view of user access history.

lastlog Command: Displaying Latest Login Records

The lastlog command in Linux is used to display the latest login information for all users. This command is crucial for administrators who need to monitor the most recent login activity of all accounts on a system. It provides a quick overview of the last login time for each user, helping in identifying inactive accounts or recent user activities.

When you run the lastlog command, the output typically looks like this:

Username         Port     From             Latest
username1        tty1     :0               Thu Dec  8 09:00:17 +0000 2023
username2        pts/1     Thu Dec  8 09:05:42 +0000 2023

The output columns provide the following information:

  • Username: The name of the user account.
  • Port: The terminal or interface through which the user last logged in. For instance, 'tty1' for a local login and 'pts/1' for a remote login session.
  • From: This shows the origin of the login, such as an IP address for remote logins or ':0' for local logins.
  • Latest: The date and time of the user's last login. This information is vital for tracking user activity and identifying unused or potentially compromised accounts.

The lastlog command is particularly valuable for:

  • Security Monitoring: Identifying accounts that have been recently accessed, which can be useful in the case of a security breach or for routine audits.
  • User Account Management: Determining inactive accounts which might need to be disabled or removed for security and resource management.
  • Compliance and Auditing: Providing necessary data for compliance with various IT standards and regulations that require monitoring of user login activities.

This concludes our guide on finding user information in Linux. Each command we've discussed – id, who, w, last, and lastlog – offers unique insights into user activities and system access patterns, making them indispensable tools for effective system administration and security monitoring in Linux environments.

Support DTV Linux

Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.

NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.